03-03-2014 06:46 AM - edited 07-05-2021 12:19 AM
Hello,
Just checking to see if there are 2 anchor controllers in different locations, that if client A connects to anchor controller A and client B connects to anchor controller B, will there be Layer 2 isolation between the 2 clients?
Thanks,
Jason
03-03-2014 06:53 AM
It depends. I'd say yes by default, but if you allowed connectivity between the subnets...
Steve
03-03-2014 06:54 AM
Thanks Stephen. They share the same subnet, and I can communicate between hosts on the same anchor, but not with a host on the other anchor. Was trying to figure out if this is by design of the technology, or if there is a setting that changes this.
Thanks,
Jason
03-03-2014 11:43 AM
If the clients are all on the same subnet, it's weird that they can't communicate. I can ask my clients to test this out. It might just be a limitation of the technology of using multiple anchors.
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
03-03-2014 12:06 PM
Well... my client was able to join the guest network and get anchored to one of the guest anchors and ping another device on a different anchor.
Thanks,
Scott
03-03-2014 12:07 PM
Jason, same subnet, different anchors? How are the anchors communicating, through a firewall?
HTH,
Steve
03-03-2014 01:18 PM
Is the network topology as in this simple sketch?
03-03-2014 01:21 PM
Yes, that is accurate. Different hosts connecting to the same SSID, but go to different anchor controllers that connect to different firewalls. I can ping everything that connects to the same anchor, but nothing that connects to the other anchor. I am wondering if it's just the EoIP tunnels that are blocking that access.
Thanks,
Jason
03-03-2014 01:24 PM
But the subnet is tied together correct, meaning that the users are put in the exact same layer 2 subnet in the DMZ?
03-03-2014 01:26 PM
Correct, but I don't see ARP or anything from any host connected to the other anchor controller.
03-03-2014 01:27 PM
One last question just for confirmation: you have two WLANs on the foreign WLC with the same SSID, right?
If yes, then you can replace each anchor WLC with a L2 switch and consider that the clients are directly connected to these switches. If these switches do L2 isolation between the clients, then the WLCs do.
03-03-2014 01:40 PM
The same SSID is created on the local controller and both anchor controllers.
03-03-2014 01:48 PM
OK, what I'm trying to say is that if there is communication between client A and client B, it would not be through the mobility tunnels between the WLCs; it would be through the switched network.
03-03-2014 04:24 PM
Correct. I just wanted to make sure what I was seeing was sane. I thought it was because of the way EoIP and CAPWAP tunnels work. So broadcasts and such would not cross them, therefore I would only communicate to hosts that are connected to the same anchor controller via that tunnel.
Thanks,
Jason
03-03-2014 04:44 PM
The anchor WLC is putting the guest in the same switched subnet, correct? If so, it would be the same as if you were connected wired; you should be able to ping any device on that same layer 2 network.
Thanks,
Scott